
On 22 April 2022, the Financial Conduct Authority (FCA) published its multi-firm review of challenger banks’ financial crime controls. The review provides a comprehensive overview of the FCA’s approach to the use of technology in client onboarding, and is relevant not just to challenger banks but to a wide range of financial services businesses subject to the FCA’s requirements around anti-money laundering and customer due diligence.

Does the review have wider applicability than just challenger banks?

In our view, yes. Although the FCA focuses on challenger banks due to the prevalent use of technology in their onboarding processes, the review has a broad applicability and will be of interest to private banks, wealth and asset managers who are deploying technology to make onboarding easier.

The FCA notes that there are limited differences in the inherent financial crime risks faced by challenger banks as compared with traditional retail banks. Thus, the FCA is targeting the review at “Money Laundering Reporting Officers and industry practitioners working in financial crime roles” generally, and not just at individuals holding those positions at challenger banks.

For a summary of the key takeaways from the review click here.

Why did the FCA conduct this review?

The FCA conducted its review of challenger banks after the UK’s 2020 “National Risk Assessment of Money Laundering and Terrorist Financing” highlighted the risk that criminals might be attracted by the streamlined onboarding processes advertised by challenger banks, especially when establishing money mule networks.

Preventing money laundering remains a key area of focus for the FCA. The review comes in the wake of two high-profile cases against retail banks for weaknesses in their anti-money laundering controls – the criminal conviction and £264.8 million fine of NatWest and the £64 million fine of HSBC, both in December 2021. The review also follows the May 2021 Dear CEO letter by the FCA’s Director of Retail Banking and Payments Supervision, David Geale, addressing the common control failings across all firms’ financial crime systems, showing that these issues are certainly not exclusive to challenger banks. The FCA’s business plan for 2022 / 23 includes the recurrent aim of reducing financial crime by lowering the incidence of money laundering through the firms it supervises. The review is therefore relevant across the financial services sector.

What did the review cover?

The review focused on a sample of six relatively new challenger banks offering quick and easy application processes, and it covered over eight million customers. The review did not include e-money issuers nor payment services providers.

The review covered:

  • governance and management information;

  • policies and procedures;

  • risk assessments;

  • identification of high risk / sanctioned individuals or entities;

  • due diligence and ongoing monitoring; and

  • communication, training and awareness.

The review was conducted prior to the expansion of sanctions against Russia, and did not cover the sanctions regime in detail. However, the FCA noted that “the main financial crime and money laundering controls we assessed equally apply to firms’ management of sanctions, specifically in respect of the risk that firms are utilised for sanctions evasion”.

What “good practices” and “bad practices” were identified by the FCA?

Good practices

Innovative uses of data:

    • Firms made effective and innovative use of data and information to mitigate risks. This included non-traditional approaches – using video selfies, mobile phone geolocation data and photo images of passports – to identify, verify and monitor customers.

Tailored, regularly updated and stand-alone financial crime policies:

    • The FCA highlighted evidence of stand-alone financial crime policies and procedures that firms regularly updated and which were tailored to the financial crime risks their businesses could give rise to.

Account monitoring and monitoring at onboarding:

    • Some firms mitigated the risk of fraud by monitoring for known fraud typologies at onboarding and as part of account monitoring. This included Credit Industry Fraud Avoidance System (CIFAS) checking and checks on customers using multiple devices to manage their accounts.

Areas that need improvement

Customer risk assessment (CRA)

    • CRA refers to various measures taken to analyse the potential risks that a customer might bring to an organisation. This involves, amongst other things, collecting information about customers (see notes on customer due diligence below), and then assigning a risk rating to them which is proportionate to the AML risk that they pose – this process also informs whether enhanced due diligence is necessary. Some firms had poorly developed CRA frameworks, with others lacking these entirely. The FCA noted CRAs are essential to ensure the risks a customer relationship presents to a firm are captured. Without CRAs, firms cannot ensure due diligence measures and ongoing monitoring are effective and proportionate to the risks posed by their individual customers.

Customer due diligence (CDD) and enhanced due diligence (EDD)

    • The FCA identified that most firms studied as part of its sample did not obtain full customer information that enabled the firm to assess the risk posed by the customer. Examples given included lack of information about their income and occupation.

    • Some firms relied on their transaction monitoring systems to identify higher risk customers. These are systems used to monitor a customer’s transactions such as transfers, deposits and withdrawals. The FCA reminded firms that no matter how good a transaction reporting system is, firms must still comply with CDD requirements at the customer onboarding stage and inadequate CDD will mean a less effective transaction monitoring system.

    • Certain firms were not consistently applying EDD and did not document EDD as a formal procedure. In one example, a firm was unable to identify high-risk customers that were not PEPs and so could not mitigate the higher risks posed by these customers effectively.

Financial crime change programmes

    • The global regulatory landscape regarding AML is always evolving and firms need to stay informed about changing laws and regulations that affect them. To meet the demands of this evolving landscape, firms should put in place internal programmes to horizon scan for new laws coming down the line, and ensure that they are ready to implement any changes required internally to meet new requirements in good time before they take effect.

    • In its review, the FCA found some firms had weaknesses in the management of their financial crime change programmes including inadequate oversight and a lack of pace in implementation, meaning their control frameworks were not keeping up with changes to their business models.

Ineffective transaction monitoring alert management

    • The FCA observed ineffective management of transaction monitoring alerts, including:
      • inconsistent and inadequate reasons for discounting alerts;
      • a lack of basic information recorded in investigation notes; and
      • a lack of rounded reviews of the alerts.
    • The FCA also found examples of alerts not being reviewed in a timely way due to lack of resources which affected firms’ ability to make suspicious activity reports (SARs) as soon as practicable, as required by the Proceeds of Crime Act 2002 (POCA).

SARs submissions

    • Whilst the volume of SARs and Defence Against Money Laundering (DAML) reports substantially increased, the reports were frequently in respect of low amounts and of poor quality, and so less likely to result in law enforcement action. For example, some SARs:

      • were not specific about circumstances that gave rise to a suspicion of money laundering;
      • provided transactional data but did not include reasons why those transactions were suspicious; and
      • were incorrectly used to report fraud and / or send information about predicate offences rather than suspicious activity related to the specific activity that creates reasonable suspicion of funds being the proceeds of crime.
    • Regarding DAMLs, reports were frequently being made when firms exited customers that did not fit with their risk appetite. The FCA notes these customers should not have been onboarded in the first place, and possibly would not have been onboarded if these firms had better controls and risk assessments at the onboarding stage.

    • Due to a disconnect between teams receiving court orders, teams processing SARs and the relevant compliance teams, some firms were allowing the subject of a DAML to continue transacting despite awaiting a response from the UK Financial Intelligence Unit (UKFIU).

Principle 11 notifications

    • Per Principle 11, firms are expected to notify the regulator of anything relating to a firm of which the FCA would reasonably expect notice.

    • The FCA found instances of significant financial crime control failures, without any Principle 11 notifications being made.

What are the key take-aways for firms following the review?

  • All firms subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017:

    • must have in place systems and controls to identify, assess, monitor and manage money laundering risk, and these must be comprehensive and proportionate to the nature, scale and complexity of a firm’s activities; and

    • should ensure they identify and collect relevant information needed to have a complete picture of all financial crime risks, including fraud, associated with the customer relationship.
  • Firms should have in place robust customer risk assessments and keep their customer risk assessment framework updated so it reflects changes to business models and products.

  • Firms should consider tailoring their financial crime policies to the risks their particular business faces.

  • There should be a focus on customer due diligence at the onboarding stage to prevent sole reliance on transaction monitoring as the principal tool to identify higher risk customers.

  • At the onboarding stage, firms should seek to obtain a full picture of a customer’s risk profile, including income and occupation details.

  • Enhanced due diligence should be consistently applied and documented as a formal procedure that captures all high-risk customers and not just politically exposed persons.

  • In the management of financial crime change programmes, firms are expected to have clear project plans for control enhancements outlining key milestones, accountable executives and delivery dates. The FCA also expects the CEO, Risk Committee and Audit Committee to be involved in overseeing material developments to financial crime change programmes, in addition to the accountable executive of a change programme.

  • Firms must have adequate resources in place to fully consider customers’ activity as part of their review of transaction monitoring alerts. This should include reviewing what the firm knows about the customer, including previous alerts and information it collected on the customer (such as income, the nature and purpose of the account and payment references).

  • Firms should refer to the appropriate UKFIU publications when making a disclosure under POCA, in conjunction with the guidance issued by the Joint Money Laundering Steering Group and the FCA’s Financial Crime Guide. Firms are also reminded to consider their obligations for consumer safeguarding through more appropriate channels, such as Action Fraud.

  • Firms are reminded of their obligations under Principle 11 of the FCA’s Handbook to disclose to the FCA appropriately anything relating to the firm of which its regulators would reasonably expect notice.

Next steps

The review provides an opportunity for FCA authorised firms subject to the MLRs to review their financial crime controls and ensure that they have effective policies and procedures in place.

Going forward, the FCA advises “continuously” making sure such controls appropriately tackle money laundering and ensuring their approach remains commensurate with any expansion of a firm’s business.

If you require further information about anything covered in this briefing, please contact Grania Baird, Andy Peterkin, Kya Fear or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, May 2022
